Electronic casino gaming with authentication and improved security
Introduction

The present invention relates generally to electronic gaming machines
or consoles and in particular the invention provides an improved system for
executing casino games in RAM as opposed to the conventional unalterable
ROM. The improvements provide an authentication process based upon
digital signatures, with the U.S. Digital Signature Standard (DSS) being the
preferred means of implementation.

For the sake of clarity the following terms are defined for the purpose
of this specification.

A gambling machine, usually referred to as a gaming machine, is a
traditional gaming machine. Typical examples include slot machines of the
type made by Aristocrat Leisure Industries or IGT.

A casino refers to the operator of gambling machines. 

A digital signature is a pair of large numbers represented in a computer
as strings of binary digits. The digital signature is computed using a set of
rules (i.e., the DSA) and a set of parameters such that the identity of the
signatory and integrity of the data can be verified.

Strong encryption is the encryption of data such that it is
computationally infeasible for a third party - for example a government
agency - to retrieve the encrypted data without a key.

A hash, or message digest, is the output from a function that produces
a value that is unique for any message input into it. A one-way hash
produces an output that is computationally difficult to relate to the input. It
is also computationally difficult to produce two different messages with the
same message digest.

An unforgeable log is produced by chaining together hash values such
that the nth entry in the log is dependent on the (n-1)th entry, and thus
previous entries cannot be altered without re-computing the whole chain.

A logic cage is a secure area inside the gaming machine that cannot be
accessed without sufficient security clearance.
References

"The Digital Signature Standard" U.S. Federal Information Processing
Standards Publication 186

"The Secure Hash Standard" U.S. Federal Information Processing
Standards Publication 180-1

"Cryptographic Support for Secure Logs on Untrusted Machines" by
Bruce Schneier and John Kelsey (available at
http://www.counterpane.com/secure-logs.html)
Background of the Invention

Traditionally, microprocessor based gaming machines store their
program contents in unalterable EPROM or ROM. During installation and
after a large jackpot payout, the machine is physically inspected and the
EPROMs are removed. These EPROMs are placed in a verification device
which produces an output string using a known algorithm usually referred to
as a hash function. This string is compared against a string that has been
already generated when the game software was approved by the gaming
jurisdiction. Authentication is achieved by a match of the approved string
and the EPROM generated string.

The main disadvantage of such a system is that the current limited
capacity of EPROM technology ensures that games cannot be as sophisticated
as if they were stored in an alternative medium such as a hard disk or
CD-ROM. The other problem with using RAM is that it cannot be extracted and
placed in a verification device, since the contents of the RAM are necessarily
volatile.

Another system, disclosed and described in U.S. Pat No. 9.643,088
uses a private key to encrypt a message digest of the approved copy of the
software, and thus produce an unalterable digital signature which can be
decrypted with a corresponding public key and compared against a message
digest generated by an unalterable EPROM in the gaming machine.

The disadvantage of the above invention is that it relies on strong
encryption, currently subject to export restrictions from the U.S. and other
countries. This software can only be signed by one party and if a single
private key is compromised, the whole system is compromised.

A related problem that exists is that of version control. Once a gaming
machine software program is found to be faulty, a modification or 'patch' is
usually distributed. Unfortunately, conventional EPROM based machines,
and the disclosed system above, have no method implemented of ensuring
that the earlier version of the software is not re-installed, either deliberately
or by accident, later. Once software is approved, it is impossible for the
machine to revoke that approval. If a rogue element was able to 'sneak past' a
jurisdiction a dubious piece of software, there would be no way to stop it
being used in a casino, even after detection.
Summary of the Invention

The invention provides a gaming machine with enhanced capability
for storing games due to enhanced security and authentication capabilities.

According to a first aspect the present invention provides a 
programmable controller, including a readable and writable storage means to 
hold a program during its execution by the programmable controller, and 
program authentication means comprising digital signature verification 
means which verifies a digital signature associated with the program and 
prevents execution of the program if the digital signature is not valid. 

According to a second aspect the present invention provides a method
of verifying a program or a program component for a programmable
controller, including a readable and writable storage means to hold a program
during its execution by the programmable controller, and program
authentication means comprising digital signature verification means which
verifies a digital signature associated with the program, and the method
including a step of verifying the digital signature against a key, and
preventing execution of the program if the digital signature is not valid.

Preferably, the digital signature is generated by a method that does not
include encryption such that de-encryption is not performed during the
digital signature verification.

According to a third aspect the present invention provides a
programmable controller, including a readable and writable storage means to
hold a program during its execution by the programmable controller, and
program authentication means comprising digital signature verification
means which verifies each of a plurality of digital signatures associated with
the program and prevents execution of the program if any one of the digital
signatures is not valid.

According to a fourth aspect the present invention provides a method
of verifying a program or a program component for a programmable
controller, including a readable and writable storage means to hold a program
during its execution by the programmable controller, and program
authentication means comprising digital signature verification means which
verifies each of a plurality of digital signatures associated with the program,
and the method including steps of verifying each of the digital signatures
against a respective key, and preventing execution of the program if any one
of the digital signatures is not valid.

Preferably the or each digital signature is generated by a method that
does not include encryption such that de-encryption is not performed during
the digital signature verification.

In one embodiment, the programmable controller is used to control the
operation of a game played on an electronic gaming machine and the signed
program is a game program or a component of a game program.

Preferably multiple signatures may be applied to the game software, to
ensure that only software approved by not only the manufacturer, but also
the jurisdictional authority and optionally the casino itself, is executed by
the machine.

Preferably also a system is provided for revoking signature keys. This
can be password based - a password is entered which allows one of the
public signatures stored in the machine to be changed. Alternatively, a
revocation certificate can be used, which must be valid, or the revocation
system can be time based, where the machine stores a set of signatures, good
for say 10 years, and the current active signature is based upon the current
system clock.

A system of equivalent signatures is also preferably provided, such that
any one of these signatures can be used as part of the verification. Ideally a
manufacturer will have at least one signature for its office in each
jurisdiction. Any one could be used to sign a game, but it would be apparent
in the event of a problem where the responsibility would lie, and could be
revoked easily.

Preferably a system for version control is also included, such that once
a later version of software runs on a gaming machine it is then impossible to
run an earlier version of the same software. This would preferably
permanently revoke faulty games once a fix had been issued.

Preferably any signature and version changes are held in secure
unforgeable logs updated after each change to help detect possible fraud.
Preferably also the unforgeable logs are implemented using tamper-proof
devices such as smartcards to ensure that the log can never be deleted.
Embodiments of the present invention will now be described by way of
example with reference to the accompanying drawings in which:

Figure 1 illustrates a conventional gaming machine in which the
present invention may be implemented;

Figure 2 is a block diagram of a control unit according to the present
invention;

Figure 3 is a diagrammatic representation of a method of signature
generation and verification according to the present invention;

Figure 4 is a flow diagram of a software approval process according to
the present invention; and

Figure 5 is a flow diagram illustrating a method of executing approved
software according to the present invention.
Detailed Description of the preferred embodiments

In the following detailed description the methodology of the
embodiment will be described, and it is to be understood that it is within
the capabilities of the non-inventive worker in the art to introduce the
methodology on any standard microprocessor-based gaming machine or
gaming console by means of appropriate programming.

Referring to Figure 1 of the drawings, the first embodiment of the
invention is illustrated in which a slot machine 40, of the type having a video
display screen 41 which displays a plurality of rotatable reels 42 carrying
symbols 43, is arranged to pay a prize on the occurrence of a predetermined
symbol or combination of symbols.

In the slot machine 40 illustrated in Figure 1, the game is initiated by a
push button 44, however, it will be recognized by persons skilled in the art
that this operating mechanism might be replaced by a pull handle or other
type of actuator in other embodiments of the invention. The top box 4B on
top of the slot machine 40 carries the artwork panel 35 which displays the
various winning combinations for which a prize is paid on this machine.

The program which implements the game and user interface is run on
a standard gaming machine control processor 100 as illustrated schematically
in Figure 2. This processor forms part of a controller 110 which drives the
video display screen 141 and receives input signals from sensors 144. The
sensors 144 may be touch sensors, however, in alternative embodiments
these may be replaced by a pull handle or another type of actuator such as
button 44 in Figure 1. The controller 110 also receives input pulses from a
mechanism 120 indicating the user has provided sufficient credit to begin
playing. The mechanism 120 may be a coin input chute, a bank note
acceptor (bill acceptor), a credit card reader, or other type of validation
device. The controller 120 also drives a payout mechanism 130 which for
example may be a coin output.

The controller 110 also includes ROM 170 in which fixed and secure
program components are held. This ROM may also contain part or all of a
program to perform a program verification function for programs running on
the CPU 100 out of RAM 150 or loaded onto or from the disk 180.

Alternatively, the program verification may be performed by a stand
alone verification system 140 interposed between the RAM 150, the disk 180
and the CPU 100. The verification system may make use of a tamper proof
storage element such as a smart card 160 (or a device containing a smart card
chip), or the verification system 140 may itself be implemented as a smart
card or smart card chip in which case, it will not require the separate smart
card 160. An Input/Output function 190 is also provided for the CPU to
communicate with a gaming machine network for administration,
participation in system wide prizes and bonuses and for downloading of
game programs.

The game played on the machine shown in Figures 1 and 2 is a
relatively standard game which includes a 3 by 5 symbol display and allows
multiple pay lines.

Slot machines such as those of the type described with reference to
Figures 1 and 2 can be adapted to embody the present invention with
generally only a software change to modify the functions of some of the user
interfaces of the machine.

The system, when built will consist of an electronic gaming machine,
with standard features such as graphics capability, a monitor, sound output
and interfaces to gaming hardware such as hoppers, bill acceptors etc. The
gaming machine would also have a sophisticated central processor, say a
Pentium or PowerPC for example, with a large amount of RAM, a storage
device such as a hard disk, CD-ROM or remote network storage and
optionally a smartcard interface.

The machine would furthermore have an unalterable EPROM which
would have stored in it program code to perform the DSS algorithm, also
known as the DSA. It would also contain code to perform the Secure Hash
Algorithm (SHA-1), the designated U.S. federal standard message digest
algorithm. This EPROM would be able to be extracted and inspected by the
traditional means. In alternative implementations, other digital signature
algorithms could be used such as GOST, ESIGN or even the previously
disclosed RSA method which requires encryption.

Figure 3, copied from the U.S. Federal standard FIPS 180-1, describes
the operations that produce and verify a digital signature using DSA and
SHA-1. An important distinguishing characteristic of this system is that it
does not use encryption to produce a digital signature. It is thus not subject
to export restrictions from the US and other countries.

Each set of software that is to be installed in any gaming machine at
present must be approved, both by the gaming jurisdictional authority and by
the machine manufacturer. It also may need to be approved by the casino in
which the machine will reside. In the preferred implementation, all
interested parties will digitally sign each piece of approved software prior to
installation. The process of game software being produced, approved and
authenticated would proceed as in Figure 4.

These signatures will be stored with the software on a mass storage
device inside the gaming machine. When the machine needs to load a piece
of software, or upon an external command after a significant event such as a
jackpot payout, it will execute the SHA-1 program code in the EPROM on the
software being loaded, and then perform a DSA verification operation using
the SHA-1 output as one of the parameters. The DSA verification operation
will be repeated for every digital signature stored with the software, and all
must be valid, so that it is impossible to execute program code that has not
been approved by the manufacturer, the jurisdictional authority and
optionally the casino and/or other parties. The process of executing
pre-approved software would proceed as in Figure 5.

A significant benefit of multiple signatures, as opposed to other
disclosed systems which use only one, is that it protects all parties from a
rogue element working within either the manufacturer, the jurisdiction or the
casino. To successfully install a fraudulent piece of software in a gaming
machine that uses this system would require a concerted conspiracy
involving trusted personnel working for all parties.
To perform the digital signature verification, it is also necessary that
the machine store public keys for the appropriate parties - jurisdiction, casino
and manufacturer. In the preferred implementation, these keys are stored in
EEPROM which can be modified at suitable times by a program stored in
EPROM, under strict security conditions. This enables signatures to be
revoked if compromised, or periodically updated. In an alternative
implementation, a plurality of signature public keys are stored in the
unalterable EPROM and variables stored in EEPROM indicate which of these
signatures are active. In another alternative implementation, a tamper-proof
device such as a smartcard stores the public keys. The program code in the
EPROM passes the output from the SHA-1 algorithm to the smartcard along
with the signature values stored with the software. The smartcard then
performs the DSS or other signature verification and returns either an
authentication or denial code to the gaming machine. Once revoked, the
smartcard will not allow keys to be re-enabled.

Since it will be possible to change the digital signatures that
authenticate software running in the machine, it is important that an
unforgeable log is kept of all software changes or signature changes. This can
be achieved by the use of a hash chain, where every entry in the log is
'hashed' with the previous log entry's hash value. In a preferred
implementation, this hash chain, or the most recent part of it, is stored
within a tamper-proof device such as a smartcard or the traditionally used
logic cage. A smartcard is preferred, since it can have a secret, unique
identification code, and is thus non-reproducible and unforgeable itself.
Program code stored in the unalterable EPROM accesses the smartcard
during signature or software update. Since the latest hash value would
always be stored on the smartcard, it would be impossible to change the
software without creating a log entry. This would ensure that all
modifications to the software stored on the machine were accurately logged,
which would be extremely useful in the event of a major jackpot payout.
The EPROM can be proven to be unaltered by the conventional means of
placing it in a verification device.

A more detailed description of a possible implementation of a
hash-chain unforgeable log can be found in the paper "Cryptographic Support
for Secure Logs on Untrusted Machines" - see references above.
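
A minimal hash-chain change log of the kind described above, as an added Python example that is not code from the patent or from the cited paper. SHA-256 stands in for the SHA-1 named in the text, `CardHead`, `ChangeLog` and the entry fields are hypothetical names, and the smartcard is simulated by an object that can only move forward.

```python
import copy
import hashlib
import json

GENESIS = b"\x00" * 32

def link(prev_hash, entry):
    """h_n = SHA-256(h_(n-1) || entry_n), with the entry serialised canonically."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash + body).digest()

class CardHead:
    """Stand-in for the smartcard: holds only the latest hash and an entry counter."""
    def __init__(self):
        self._head, self._count = GENESIS, 0

    def advance(self, entry):
        self._head = link(self._head, entry)
        self._count += 1

    def read(self):
        return self._head, self._count

class ChangeLog:
    """Entries live on ordinary (untrusted) storage; the chain head lives on the card."""
    def __init__(self, card):
        self.card, self.entries = card, []

    def append(self, kind, **fields):
        entry = {"seq": len(self.entries) + 1, "kind": kind, **fields}
        self.card.advance(entry)   # card first: no update completes without a log entry
        self.entries.append(entry)

def audit(entries, card):
    """Recompute the chain from the stored entries and compare it with the card."""
    head, count = card.read()
    if len(entries) != count:
        return False, "entry count differs from card"
    h = GENESIS
    for i, entry in enumerate(entries, 1):
        if entry.get("seq") != i:
            return False, f"entry {i} out of sequence"
        h = link(h, entry)
    if h != head:
        return False, "chain head differs from card"
    return True, "ok"

def demo_log():
    card = CardHead()
    log = ChangeLog(card)
    # Constructed sample history: install, key revocation, update.
    log.append("software", game="reels", version=1)
    log.append("key-revoked", key_id="mfr-office-a")
    log.append("software", game="reels", version=2)
    intact = audit(log.entries, card)
    edited = copy.deepcopy(log.entries)
    edited[2]["version"] = 1          # history rewritten on disk
    truncated = log.entries[:2]       # last entry deleted from disk
    return intact, audit(edited, card), audit(truncated, card)

if __name__ == "__main__":
    print(demo_log())
```

Because the card holds only the head and a counter, the audit detects that the stored log was changed but not which entry; storing each entry's own link value alongside it would localise the change.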
Each signature for a file would be linked to the file, but need not be
contained within the file. In the event of a signature key revocation, new
signatures may have to be downloaded from a network device or using the
machine's operator mode. In this case, the new signatures being
downloaded would indicate which file they are to attach to, and which
signature they replace. This would be more economical than re-downloading
the whole software set upon a signature key change.

In an alternative implementation, multiple public keys for each
corresponding signature are stored. At any one time, only one for each
interested party would be active. The schedule for selecting which public
keys are active could be time-based, so signatures would in effect have a
lifetime. Periodically, the machine would have to be updated with the new
signatures as either a maintenance task or upon the payments of an
additional license fee to the manufacturer or jurisdiction.

In the event of an authentication failure due to signatures (and
therefore the license to run the software) expiring, it could be implemented
that the casino would have a 'grace' period to obtain new keys before the
machine completely refused to run the software. For example, the machine
could display a notice, similar to that found on computer shareware
products, informing of the license expiry that would have to be manually
accepted by the machine operator every time the machine was reset.

In the alternative implementation, it would also be possible to have
multiple signatures active for each party at any one time. One possibility
would be that these would correspond to different divisions within the
manufacturer or jurisdiction. This would aid tracing in the event of a
software or security failure.

Another security aspect that will be implemented in the gaming
machine is the concept of version control. Each digitally signed piece of
software stored on the mass storage device within the machine will have an
associated identification code and version number. It will be impossible to
download software with a corresponding identification code and an earlier
version number.
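
The load-time check described in the preceding paragraphs (every stored signature verified, revoked keys refused, equivalent keys per party, no earlier version accepted), as an added Python example that is not code from the patent. The DSA arithmetic follows FIPS 186 with SHA-1 as the text specifies; the key ids, the `game:version:` prefix bound into the signed message, the deterministic nonce and the demo-sized 512-bit parameters are assumptions made here.

```python
import hashlib

def is_probable_prime(n):
    """Miller-Rabin over fixed small bases; sufficient for this demo's parameter search."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for sp in bases:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** j, n) != n - 1 for j in range(1, r)):
            return False
    return True

def make_params(seed=b"constructed demo seed"):
    """Derive demo-sized DSA domain parameters (160-bit q, 512-bit p) from a seed."""
    q = int.from_bytes(hashlib.sha1(seed).digest(), "big") | (1 << 159) | 1
    while not is_probable_prime(q):
        q += 2
    k = (1 << 511) // (2 * q) + 1
    while not is_probable_prime(2 * k * q + 1):
        k += 1
    p = 2 * k * q + 1
    g = next(v for v in (pow(h, (p - 1) // q, p) for h in range(2, p)) if v != 1)
    return p, q, g

def digest(msg, q):
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q

def dsa_sign(params, x, msg):
    p, q, g = params
    # Demo-only deterministic nonce; a real signer draws k from a CSPRNG.
    k = digest(x.to_bytes(20, "big") + msg, q - 1) + 1
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (digest(msg, q) + x * r) % q
    return r, s

def dsa_verify(params, y, msg, sig):
    (p, q, g), (r, s) = params, sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = digest(msg, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

class LoadTimeVerifier:
    """Every stored signature must verify and every required party must have signed."""
    def __init__(self, params, keys, required):
        self.params, self.keys, self.required = params, dict(keys), set(required)
        self.revoked, self.latest = set(), {}   # latest[game] = highest version run
    def may_execute(self, game, version, image, sigs):
        if version < self.latest.get(game, 0):
            return False, "rollback"
        # Assumption of this example: id and version are signed together with the image.
        msg = f"{game}:{version}:".encode() + image
        parties = set()
        for key_id, sig in sigs.items():
            if key_id not in self.keys or key_id in self.revoked:
                return False, "untrusted key " + key_id
            party, y = self.keys[key_id]
            if not dsa_verify(self.params, y, msg, sig):
                return False, "bad signature " + key_id
            parties.add(party)
        if not self.required <= parties:
            return False, "missing party"
        self.latest[game] = version
        return True, "ok"

def demo():
    params = p, q, g = make_params()
    owner = {"mfr-office-a": "manufacturer", "mfr-office-b": "manufacturer",
             "juris-1": "jurisdiction", "casino-1": "casino"}   # constructed key ids
    priv = {k: digest(b"constructed private key " + k.encode(), q - 1) + 1 for k in owner}
    v = LoadTimeVerifier(params, {k: (owner[k], pow(g, priv[k], p)) for k in owner},
                         ("manufacturer", "jurisdiction", "casino"))
    def sign(version, image, key_ids):
        msg = f"reels:{version}:".encode() + image
        return {k: dsa_sign(params, priv[k], msg) for k in key_ids}
    img = b"constructed game image"
    a, b = ["mfr-office-a", "juris-1", "casino-1"], ["mfr-office-b", "juris-1", "casino-1"]
    v2 = sign(2, img, a)
    out = [v.may_execute("reels", 2, img, v2),                    # all three approvals
           v.may_execute("reels", 2, img + b"\x00", v2),          # image altered after signing
           v.may_execute("reels", 2, img, sign(2, img, a[:2])),   # casino never signed
           v.may_execute("reels", 1, img, sign(1, img, a))]       # earlier version re-installed
    v.revoked.add("mfr-office-a")
    out += [v.may_execute("reels", 2, img, v2),                   # signed with a revoked key
            v.may_execute("reels", 2, img, sign(2, img, b))]      # equivalent manufacturer key
    return out

if __name__ == "__main__":
    print(demo())
```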

It will be appreciated by persons skilled in the art that numerous
variations and/or modifications may be made to the invention as shown in
the specific embodiments without departing from the spirit or scope of the
invention as broadly described. The present embodiments are, therefore, to
be considered in all respects as illustrative and not restrictive.
CLAIMS

1. A programmable controller, including a readable and writable storage
means to hold a program during its execution by the programmable
controller, and program authentication means comprising digital signature
verification means which verifies a digital signature associated with the
program and prevents execution of the program if the digital signature is not
valid, the digital signature being generated by a method that does not include
encryption such that de-encryption is not performed during the digital
signature verification.

2. The controller as claimed in claim 1, wherein a plurality of signatures
are applied to the game software.

3. A programmable controller, including a readable and writable storage
means to hold a program during its execution by the programmable
controller, and program authentication means comprising digital signature
verification means which verifies each of a plurality of digital signatures
associated with the program and prevents execution of the program if any
one of the digital signatures is not valid.

4. The electronic gaming machine as claimed in claim 2 or 3, wherein
one of the digital signatures is applied to the software by or on behalf of a
manufacturer of the electronic gaming machine.

5. The controller as claimed in claim 2, 3 or 4, wherein one of the digital
signatures is applied to the software by or on behalf of a jurisdictional
authority that has jurisdiction to authorize use of the game in a location in
which the game is installed.

6. The controller as claimed in claim 2, 3, 4 or 5, wherein one of the
digital signatures is applied to the software by or on behalf of a casino in
which the electronic gaming machine is installed.

7. The controller as claimed in any one of claims 1 to 6, wherein the
programmable controller is used to control the operation of a game played on
an electronic gaming machine and the program with which the digital
signature is associated is a game program or a component of a game program.

8. The controller as claimed in any one of claims 1 to 7, wherein the
signature verification means stores one or more public signature keys in
secure storage and uses a public signature key from the secure storage to
verify the digital signature associated with the game program.
9. The controller as claimed in claim 8, wherein the signature verification
means includes signature revocation means for removing public signature
keys from a set of valid keys as a method of revoking signature keys.

10. The controller as claimed in claim 9, wherein the signature revocation
means is activated by a password such that when the password is entered it
allows a particular public signature stored in the verification means to be
changed or deleted.

11. The controller as claimed in claim 9 or 10, wherein a digital revocation
certificate can be used, which must be validated by the validation means
before it causes a public signature key to be revoked.

12. The controller as claimed in claim 9, 10 or 11, wherein revocation is
time based, whereby the machine stores a set of public signature keys, which
are valid for a fixed period of time, after which they are automatically
revoked.

13. The controller as claimed in claim 12, wherein the fixed period before
automatic revocation is a period of 10 years.

14. The controller as claimed in claim 12 or 13, wherein identification of a
current active public signature is based upon comparison of a time stamp
embedded in the signature with a time and date obtained from a current time
value from a system clock.

15. The controller as claimed in any one of claims 6 to 14, wherein a
plurality of equivalent signatures are provided in the secure storage, such
that any one of the equivalent signatures can be used as part of the
verification authorization.

16. The controller as claimed in claim 15, wherein each of the equivalent
signatures is identifiable as being associated with a person or entity
responsible for issuing or authorizing the program.

17. The controller as claimed in any one of claims 1 to 16, wherein the
verification program records versions of a program that have been verified
and will not re-verify versions earlier than the latest version that it has
already verified.

18. The controller as claimed in claim 17, wherein the record of verified
program versions is stored in a secure log and entries in the record are
unforgeable and unalterable after being written.

19. The controller as claimed in claim 18, wherein a record of digital
signature key updates is kept in the secure log.
20. The controller as claimed in claim 18 or 19, wherein the secure log is
recorded in a tamper proof device.

21. The controller as claimed in claim 20, wherein the tamper proof device
is a smartcard or contains a smartcard chip.

22. A method of verifying a program or a program component for a
programmable controller, including a readable and writable storage means to
hold a program during its execution by the programmable controller and
program authentication means comprising digital signature verification
means which verifies a digital signature associated with the program, the
digital signature being generated by a method that does not include
encryption and the method including a step of verifying the digital signature
against a key, in which de-encryption is not performed during the digital
signature verification, and preventing execution of the program if the digital
signature is not valid.

23. The method as claimed in claim 22, a plurality of signatures are
applied to the game software.

24. A method of verifying a program or a program component for a
programmable controller, including a readable and writable storage means to
hold a program during its execution by the programmable controller, and
program authentication means comprising digital signature verification
means which verifies each of a plurality of digital signatures associated with
the program, and the method including steps of verifying each of the digital
signatures against a respective key, and preventing execution of the program
if any one of the digital signatures is not valid.

25. The method as claimed in claim 23 or 24, wherein one of the digital
signatures is applied to the software by or on behalf of a manufacturer of the
electronic gaming machine.

26. The method as claimed in claim 23 or 24 or 25, wherein one of the
digital signatures is applied to the software by or on behalf of a jurisdictional
authority that has jurisdiction to authorize use of the game in a location in
which the game is installed.

27. The method as claimed in claim 23 or 24 or 25 or 26, wherein one of
the digital signatures is applied to the software by or on behalf of a casino in
which the electronic gaming machine is installed.

28. The method as claimed in any one of claims 22 to 27, wherein the
programmable controller is used to control the operation of a game played on
an electronic gaming machine and the program with which the digital
signature is associated is a game program or a component of a game program.

29. The method as claimed in any one of claims 22 to 28, wherein the
signature verification means stores one or more public signature keys in
secure storage and uses a public signature key from the secure storage to
verify the digital signature associated with the game program.

30. The method as claimed in claim 28, wherein the signature verification
means includes signature revocation means for removing public signature
keys from a set of valid keys as a method of revoking signature keys.

31. The method as claimed in claim 30, wherein the signature revocation
means is activated by a password such that when the password is entered it
allows a particular public signature stored in the verification means to be
changed or deleted.

32. The method as claimed in claim 30 or 31, wherein a digital revocation
certificate can be used, which must be validated by the validation means
before it causes a public signature key to be revoked.

33. The method as claimed in claim 30, 31 or 32, wherein revocation is
time based, whereby the machine stores a set of public signature keys, which
are valid for a fixed period of time, after which they are automatically
revoked.

34. The method as claimed in claim 33, wherein the fixed period before
automatic revocation is a period of 10 years.

35. The method as claimed in claim 33 or 34, wherein identification of a
current active public signature is based upon comparison of a time stamp
embedded in the signature with a time and date obtained from a current time
value from a system clock.

36. The method as claimed in any one of claims 20 to 35, wherein a
plurality of equivalent signatures are provided in the secure storage, such
that any one of the equivalent signatures can be used as part of the
verification.

37. The method as claimed in claim 36, wherein each of the equivalent
signatures is identifiable as being associated with a person or entity
responsible for issuing or authorizing the program.

38. The method as claimed in any one of claims 22 to 37, wherein the
verification program records versions of a program that have been verified
and will not re-verify versions earlier than the latest version that it has
already verified.

39. The method as claimed in claim 38, wherein the record of verified
program versions is stored in a secure log and entries in the record are
unforgeable and unalterable after being written.

40. The method as claimed in claim 39, wherein a record of digital
signature key updates is kept in the secure log.

41. The method as claimed in claim 39 or 40, wherein the secure log is
recorded in a tamper proof device.

42. The method as claimed in claim 41, wherein the tamper proof device is
a smartcard or contains a smartcard chip.